Detection | low | test

MSSQL Server Failed Logon

Detects failed logon attempts from clients to MSSQL server.

Nasreddine Bencherchali (Nextron Systems), j4son
Created Wed Oct 11
Updated Wed Jun 26
218d2855-2bba-4f61-9c85-81d0ea63ac71
windows
Log Source
Product: Windows (raw: windows)
Service: application (raw: application)

Definition

Requirements: Must enable MSSQL authentication.

Detection Logic
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    condition: selection
False Positives

This event could stem from users changing the password of an account that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them.
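An added example, not part of the Sigma rule or the SigmaHQ repository: it applies the selection above to a handful of constructed events and groups the matches by client, which is the first step in investigating the source. The flattened event layout, the message text, the account names and the IP addresses are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample events, flattened the way the rule's field names imply.
# Field layout and message text are assumptions; adjust to your log pipeline.
EVENTS = [
    {"Provider_Name": "MSSQLSERVER", "EventID": 18456,
     "Message": "Login failed for user 'svc_report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]"},
    {"Provider_Name": "MSSQLSERVER", "EventID": 18456,
     "Message": "Login failed for user 'svc_report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]"},
    {"Provider_Name": "MSSQL$SQLEXPRESS", "EventID": "18456",  # ID shipped as a string
     "Message": "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.99]"},
    {"Provider_Name": "MSSQL$SQLEXPRESS", "EventID": 18456,
     "Message": "Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.99]"},
    {"Provider_Name": "MSSQLSERVER", "EventID": 18453,  # different event ID: no match
     "Message": "constructed non-matching event"},
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "EventID": 18456,
     "Message": "constructed event from an unrelated provider"},  # no 'MSSQL': no match
]

MSG_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*?\[CLIENT: (?P<client>[^\]]+)\]", re.S)

def matches_selection(event):
    """Both selection fields must match (Sigma ANDs the fields of a selection)."""
    provider = str(event.get("Provider_Name", ""))
    try:
        event_id = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return False
    # Sigma string matching is case-insensitive; |contains is a substring test.
    return "mssql" in provider.lower() and event_id == 18456

def triage(events):
    """Count matched failures per client and list the distinct accounts tried."""
    per_client, users = Counter(), {}
    for ev in filter(matches_selection, events):
        m = MSG_RE.search(ev.get("Message", ""))
        client = m.group("client") if m else "unknown"
        user = m.group("user") if m else "unknown"
        per_client[client] += 1
        users.setdefault(client, set()).add(user)
    return {c: {"failures": n, "accounts": sorted(users[c])} for c, n in per_client.items()}

if __name__ == "__main__":
    for client, info in triage(EVENTS).items():
        print(client, info)
```

A client that fails repeatedly with a single service account fits the stale job credential case described above, while one client failing against several accounts is closer to the brute-force behaviour the rule is tagged for.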

Rule Metadata
Rule ID
218d2855-2bba-4f61-9c85-81d0ea63ac71
Status
test
Level
low
Type
Detection
Created
Wed Oct 11
Modified
Wed Jun 26
Path
rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml
Raw Tags
attack.credential-access, attack.t1110